Free template
BC public bodies
March 2026
FIPPA Privacy Impact Assessment Template for SaaS Vendors
By Joshua van Es, Founder — Upper Harbour
A structured framework for BC public bodies to assess the jurisdictional risk of SaaS tools that store sensitive personal information outside Canada. Designed for the amended FIPPA framework (Bill 22, 2021).
What this template is for
The 2021 FIPPA amendments require BC public bodies to complete a privacy impact assessment before storing sensitive personal information outside Canada. This template provides a structured framework specifically for evaluating SaaS vendor jurisdictional risk — the most common trigger for this requirement. Complete one for each SaaS tool that stores sensitive personal information in a foreign jurisdiction. Read the full FIPPA SaaS compliance guide →
Not legal advice
This template is an informational compliance resource. It is not a substitute for legal advice. Consult your organization's privacy officer or legal counsel to confirm the template meets your specific obligations under FIPPA and the applicable BC government directions on privacy impact assessments.
Template
1. Initiative & Data Scope
Establish what personal information is involved and why the SaaS tool is being used.
Public Body Name
[Name of your organization]
SaaS Vendor / Tool Name
[Vendor name and specific product/service]
Assessment Date
[Date of this assessment]
Prepared By
[Name and role — e.g., Privacy Officer, IT Director]
Service Description
[Brief description of the SaaS tool and its role in your operations]
Categories of Personal Information Processed
☐ Employee data
☐ Client/citizen data
☐ Health information
☐ Student records
☐ Financial data
☐ Contact information
☐ Biometric data
☐ Usage/behavioural data
Is the Personal Information Sensitive?
☐ Yes
☐ No
☐ Requires further assessment
FIPPA does not define "sensitive." The BC Privacy Commissioner's guidance indicates that medical, financial, genetic, and biometric information is almost always sensitive. Context matters — any information can be sensitive depending on use. If sensitive, the full PIA assessment below is required before storing outside Canada.
Purpose and Necessity
[Why this tool is required — is there a Canadian-hosted or Canadian-controlled alternative?]
Approximate Volume of Records
[Number of individuals whose personal information is processed]
2. Vendor Jurisdiction & Data Storage
Determine the vendor's jurisdictional chain and where personal information is stored and accessed.
Parent Company Name & Jurisdiction
[Ultimate parent entity and country of incorporation — e.g., Microsoft Corporation, United States]
Data Storage Location(s)
[Where personal information is stored at rest — e.g., Canada Central (Toronto), US East (Virginia)]
Is Data Stored Outside Canada?
☐ Yes — stored outside Canada
☐ No — stored in Canada only
☐ Mixed — some data in Canada, some outside
☐ Unknown
Is Data Accessed from Outside Canada?
☐ Yes — vendor staff access from outside Canada
☐ No — access restricted to Canada
☐ Unknown
Sub-processors with Access to Personal Information
[List any third parties with access to the data, their jurisdictions, and the nature of their access]
CLOUD Act Exposure
☐ US-parented — subject to CLOUD Act
☐ Canadian-parented — not subject to CLOUD Act
☐ Other foreign jurisdiction
The US CLOUD Act allows US authorities to compel US-incorporated companies to produce data regardless of where it is stored. A Canadian data centre does not eliminate this exposure if the vendor is US-parented.
Learn more about the CLOUD Act →
3. Foreign Jurisdiction Risk Assessment
Evaluate the legal framework of the jurisdiction where data is stored or accessed, as required by the FIPPA PIA directions.
Receiving Jurisdiction(s)
[Country/countries where data is stored, processed, or accessed]
Does the Foreign Jurisdiction Have Privacy Legislation?
☐ Yes — comprehensive privacy law
☐ Partial — sector-specific only
☐ No
For US-stored data: the US has sector-specific privacy laws (HIPAA, FERPA) but no comprehensive federal privacy law. State laws vary (e.g., California CCPA/CPRA).
Can Foreign Government Compel Access?
[Identify any laws that allow government access to data — e.g., US CLOUD Act, FISA Section 702, Patriot Act provisions. Assess the likelihood that such access could be compelled for your data.]
Rule of Law Assessment
[Does the jurisdiction have an independent judiciary, constitutional individual freedoms, and due process? The BC OIPC has indicated these are hallmarks of jurisdictions that adequately protect personal information.]
Likelihood of Unauthorized Access
Impact to Individuals if Unauthorized Access Occurs
4. Contractual & Technical Safeguards
Document the protections in place to mitigate jurisdictional risk.
Data Processing Agreement in Place?
☐ Yes — FIPPA-specific terms
☐ Yes — standard DPA only
☐ No
Contractual FIPPA Compliance Provisions
[Does the contract require the vendor to comply with FIPPA? Does it restrict further use/disclosure? Does it require breach notification? Does it require cooperation with FOI requests?]
Encryption
☐ Encrypted at rest
☐ Encrypted in transit
☐ Customer-managed encryption keys
☐ Vendor-managed keys only
Customer-managed encryption keys provide the strongest protection against foreign government access, as the vendor cannot decrypt data without the customer's key.
Access Controls
[What access controls limit who can view the data? Is access restricted to Canadian-based personnel? Is access logged?]
Vendor Security Certifications
☐ SOC 2 Type II
☐ ISO 27001
☐ ISO 27017 (cloud)
☐ ISO 27018 (PII in cloud)
☐ FedRAMP
☐ CCCS assessed
Data Minimization
[Has the personal information processed by this tool been minimized to only what is necessary? Can any PI be excluded or de-identified?]
5. Residual Risk Assessment
After accounting for all mitigations, assess the remaining risk.
Overall Residual Risk Level
☐ Low — Canadian-controlled vendor, Canadian data residency, minimal PI
☐ Moderate — Foreign-parented vendor with Canadian residency and contractual protections
☐ High — Sensitive PI stored in foreign jurisdiction by foreign-controlled vendor
☐ Unacceptable — No adequate mitigations for sensitive data in high-risk jurisdiction
Risk Justification
[Explain your residual risk rating. What specific factors drove the assessment? Reference the jurisdictional analysis from Section 3 and the mitigations from Section 4.]
Is There a Lower-Risk Alternative?
[Have you assessed Canadian-controlled alternatives? If so, why is this vendor preferred despite higher jurisdictional risk? Document the comparison. Use Upper Harbour's Sovereignty Index to identify Canadian alternatives.]
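As an added example (not part of the template and not Upper Harbour's tooling), the Python script below applies Sections 1 to 5 to a small SaaS inventory: it derives CLOUD Act exposure from the parent jurisdiction alone, treats vendor staff access from outside Canada the same as foreign storage when deciding whether the full PIA is triggered, and maps each tool onto the Section 5 tiers. The vendor names and facts are constructed, the field names are this example's own, and the cut-offs used for cases the rubric does not spell out (non-sensitive PI abroad, a foreign-parented vendor in Canada without a FIPPA-specific DPA) are assumptions, labelled as such in the code.

```python
"""Triage a SaaS inventory against the template's jurisdictional-risk rubric.

Added example, not part of the template: field names follow Sections 1-5,
the tier cut-offs are this example's own reading of the Section 5 rubric,
and every vendor below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SaaSTool:
    """One row of a SaaS inventory, using the template's Section 1-4 fields."""
    name: str
    parent_country: str           # Section 2: ultimate parent's jurisdiction (ISO code)
    storage_countries: tuple      # Section 2: where PI is stored at rest
    access_countries: tuple       # Section 2: where vendor staff access it from
    sensitive: bool               # Section 1: health, financial, genetic, biometric, ...
    dpa: str                      # Section 4: "fippa", "standard" or "none"
    customer_managed_keys: bool   # Section 4: vendor cannot decrypt without the customer's key


def cloud_act_exposed(tool: SaaSTool) -> bool:
    """Section 2: a US-parented vendor is reachable under the CLOUD Act
    no matter which region the data centre is in."""
    return tool.parent_country == "US"


def leaves_canada(tool: SaaSTool) -> bool:
    """Section 2: storage outside Canada *or* vendor access from outside Canada."""
    return any(c != "CA" for c in tool.storage_countries + tool.access_countries)


def pia_required(tool: SaaSTool) -> bool:
    """Section 1: sensitive PI stored or accessed outside Canada triggers the full PIA."""
    return tool.sensitive and leaves_canada(tool)


def residual_risk(tool: SaaSTool) -> tuple:
    """Map a tool onto the Section 5 tiers; returns (level, reasons).

    Where the rubric is silent the choices below are assumptions of this example."""
    foreign_parent = tool.parent_country != "CA"
    contractual = tool.dpa == "fippa"
    reasons = []
    if cloud_act_exposed(tool):
        reasons.append("US-parented: CLOUD Act exposure regardless of data centre location")

    if not leaves_canada(tool):
        if not foreign_parent:
            if not tool.sensitive:
                return "Low", reasons + ["Canadian-controlled vendor, Canadian residency, non-sensitive PI"]
            # Assumption: the Low tier's "minimal PI" excludes sensitive data.
            return "Moderate", reasons + ["Canadian-controlled, Canadian residency, but sensitive PI"]
        if contractual or not tool.sensitive:
            return "Moderate", reasons + ["Foreign parent with Canadian residency and contractual protections"]
        # Assumption: sensitive PI held by a foreign parent without FIPPA-specific
        # terms does not meet the Moderate tier's "contractual protections".
        return "High", reasons + ["Foreign parent, Canadian residency, sensitive PI, no FIPPA-specific DPA"]

    # From here on PI is stored or accessed outside Canada.
    if not tool.sensitive:
        return "Moderate", reasons + ["Non-sensitive PI outside Canada"]  # assumption
    if contractual or tool.customer_managed_keys:
        return "High", reasons + ["Sensitive PI outside Canada; contractual or key-control mitigation present"]
    return "Unacceptable", reasons + ["Sensitive PI outside Canada with no adequate mitigation"]


SEVERITY = {"Unacceptable": 3, "High": 2, "Moderate": 1, "Low": 0}


def triage(inventory) -> list:
    """Rate every tool and order the result from Unacceptable down to Low."""
    rows = []
    for tool in inventory:
        level, reasons = residual_risk(tool)
        rows.append({"tool": tool.name, "risk": level, "pia_required": pia_required(tool),
                     "cloud_act": cloud_act_exposed(tool), "reasons": reasons})
    # sorted() is stable, so tools with equal severity keep their inventory order.
    return sorted(rows, key=lambda r: SEVERITY[r["risk"]], reverse=True)


# Constructed sample inventory: fictional vendors, fictional facts.
TICKETING = SaaSTool("Ticketing (constructed)", "CA", ("CA",), ("CA",), False, "standard", False)
DOCVAULT = SaaSTool("DocVault (constructed)", "US", ("CA",), ("CA",), True, "fippa", False)
PAYROLL = SaaSTool("PayrollCloud (constructed)", "US", ("CA",), ("US",), True, "fippa", False)
NEWSLETTER = SaaSTool("Newsletter (constructed)", "US", ("US",), ("US",), False, "standard", False)
TELEHEALTH = SaaSTool("TelehealthNotes (constructed)", "US", ("US",), ("US",), True, "none", False)
SAMPLE_INVENTORY = (TICKETING, DOCVAULT, PAYROLL, NEWSLETTER, TELEHEALTH)

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        flags = ("PIA " if row["pia_required"] else "    ") + ("CLOUD" if row["cloud_act"] else "     ")
        print(f"{row['risk']:<13}{flags}  {row['tool']}")
        for reason in row["reasons"]:
            print(f"{'':13}      - {reason}")
```

Running it prints the inventory ordered from Unacceptable down to Low, with the reasons behind each rating; those reasons are a starting point for the Risk Justification field, not a substitute for it. Note that PayrollCloud rates High and triggers the PIA even though its data sits in a Canadian region, because vendor staff access it from the US, while DocVault (same parent, Canadian storage and access) needs no PIA but still carries CLOUD Act exposure. The script only makes applying the rubric consistent across a large stack; the Section 3 jurisdictional analysis and the Section 6 sign-off remain a person's job.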
6. Determination & Sign-Off
Record the final determination and required approvals.
Determination
☐ Approved — risk acceptable with current safeguards
☐ Approved with conditions — additional mitigations required before proceeding
☐ Not approved — risk unacceptable, alternative required
Conditions (if applicable)
[List any required mitigations that must be implemented before the tool can be used — e.g., enable Canadian data residency, implement customer-managed encryption, restrict data categories]
Review Schedule
☐ Annual review
☐ Upon vendor change (acquisition, new sub-processor, data centre change)
☐ Upon regulatory change
Approved By
[Name, title, date — must be the head of the public body or delegate with authority under FIPPA]
Automate this process
HarbourScan can populate Sections 2 and 3 of this template automatically for your entire SaaS stack — identifying parent jurisdiction, CLOUD Act exposure, and data residency options for every tool in minutes. Request a scoping call →